Contagious Interview campaign uses malicious VS Code projects to deliver backdoors
Campaign
Summary
Hide ▲
Show ▼
The Contagious Interview campaign now also includes a Fake Font sub-campaign that uses hijacked npm packages and 16 Go packages to deliver a Python infostealer on Windows, Linux, and macOS. The malware hides execution in a VS Code task that runs when a folder opens, retrieves stages from blockchain transaction data and TronGrid/Aptos, then sets up a Socket.io backdoor and steals credentials, wallets, and developer artifacts. The activity is tied to North Korean threat actors and continues to target developers with trusted-looking software supply chain abuse.
Related Happenings
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
How related:
"The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code. From there, the malware retrieves encrypted JavaScript from blockchain transaction data, connects to attacker-controlled infrastructure, launches a socket.io backdoor, and eventually deploys a Python infostealer."
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityHow related: "The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code. From there, the malware retrieves encrypted JavaScript from blockchain transaction data, connects to attacker-controlled infrastructure, launches a socket.io backdoor, and eventually deploys a Python infostealer."
About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
Campaign
H score9
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
CampaignAbout this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor Meta
H score31
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor MetaAbout this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
Campaign
H score30
First: 08.06.2026 18:00
Last: 08.06.2026 18:00
Sources 1
About this happening:
A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
CampaignAbout this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
Timeline
-
02.03.2026 10:44 3 articles · 4mo ago
Contagious Interview adds malicious npm packages and Pastebin-based Vercel C2
Campaign Scope UpdateNorth Korean Contagious Interview operators published 26 malicious npm packages to the npm registry, using install.js and vendor/scrypt-js/version.js to pull steganographically hidden C2 locations from Pastebin and Vercel-hosted infrastructure. The chain used ext-checkdin.vercel[.]app and 103.106.67[.]63:1244/1247 to deliver a cross-platform RAT and modules for VS Code persistence, keylogging, browser credential theft, TruffleHog secret scanning, and Git and SSH key exfiltration.
Show sources
- North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT — thehackernews.com — 02.03.2026 10:44
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer — thehackernews.com — 29.06.2026 08:36
-
20.01.2026 20:41 3 articles · 5mo ago
Contagious Interview uses malicious VS Code projects against developers
Technical Analysis UpdateNorth Korean actors tied to Contagious Interview targeted developers with malicious Microsoft Visual Studio Code (VS Code) projects and cloned Git repositories that trigger tasks.json processing, runOn: folderOpen execution, and Vercel-hosted JavaScript payloads. The chain includes a macOS path using nohup bash -c with curl -s, a remote server at ip-regions-check.vercel[.]app, and follow-on payloads associated with BeaverTail, InvisibleFerret, Tsunami, TsunamiKit, XMRig, AnyDesk, and the malicious npm dependency grayavatar, enabling backdoor access, remote code execution, fingerprinting, keylogging, screenshots, and cryptocurrency mining.
Show sources
- North Korea-Linked Hackers Target Developers via Malicious VS Code Projects — thehackernews.com — 20.01.2026 20:41
- 'Contagious Interview' Attack Now Delivers Backdoor Via VS Code — www.darkreading.com — 22.01.2026 00:00
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25